
Browser In The Browser (BITB) attack

Browser in the Browser Attack: nowadays the quality of phishing attacks has improved so much that more hackers have taken phishing to the next level, since phishing is extremely simple to execute in the world of hacking.

Today we will look at a well-made phishing tool called BITB. The tool is written entirely in JavaScript and CSS, and it can only be hosted and used on Linux devices and on 000webhost.

What is browser in the browser attack?

The browser-in-the-browser attack takes advantage of the single sign-on (SSO) flow, in which you sign in to a third-party website using an existing account from a provider like Google or Facebook. This time, however, the sign-in prompt is a phoney one that is drawn to look like a separate pop-up window.

How does it work?

The browser in the browser attack (BITB) is the most recent type of phishing scam. It obtains critical user information by simulating a browser window (title bar, address bar and padlock) inside the real web browser window.

A false pop-up window appears and asks the user for the credentials they would normally use to sign in to the website shown in the original browser window. Because the "pop-up" is just HTML on the attacker's page, anything typed into it goes to the attacker, resulting in identity theft.
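The mechanism above leaves a structural fingerprint on the phishing page itself: a fake address bar that displays one hostname (for example accounts.google.com) while the login form is actually an iframe loaded from a different host. The following script, added here as an example and not code from the original post or from the BITB tool, is a small defender-side check that scans an HTML document for that combination. The sample pages, the `.invalid` hostnames and the `analyze_page` function name are constructed for this illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Text that looks like an address-bar entry and nothing else: optional scheme,
# a dotted hostname, optional path, no surrounding prose.
ADDRESS_RE = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)


class _PageCollector(HTMLParser):
    """Collect iframe src attributes and visible text nodes from an HTML document."""

    def __init__(self):
        super().__init__()
        self.iframe_srcs = []
        self.text_nodes = []
        self._skip_depth = 0  # inside <script>/<style>, where text is not rendered

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
        elif tag == "iframe":
            self.iframe_srcs.append(dict(attrs).get("src") or "")

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        text = data.strip()
        if text and not self._skip_depth:
            self.text_nodes.append(text)


def host_of(url, default=""):
    """Lower-cased hostname of an absolute URL; `default` for a relative URL."""
    if "://" not in url:
        return default
    return (urlparse(url).hostname or default).lower()


def displayed_host(text):
    """Hostname a rendered address-bar string claims, whether or not it has a scheme."""
    return host_of(text if "://" in text else "https://" + text)


def analyze_page(html, page_url):
    """Flag pages that show a foreign hostname as text while loading the form from elsewhere."""
    page_host = host_of(page_url)
    collector = _PageCollector()
    collector.feed(html)

    # Hostnames the page *displays* as if they were the browser's address bar.
    displayed = {displayed_host(t) for t in collector.text_nodes if ADDRESS_RE.match(t)}
    # Those that do not belong to the page itself are the spoofed ones.
    spoofed = {h for h in displayed if h and h != page_host}
    # Where the embedded content actually comes from (relative src = this page).
    iframe_hosts = {host_of(src, page_host) for src in collector.iframe_srcs}

    # BITB signature: a spoofed address-bar host plus an iframe served from a host
    # that is not the one being displayed.
    suspicious = bool(spoofed) and any(h not in spoofed for h in iframe_hosts)
    return {
        "page_host": page_host,
        "spoofed_hosts": sorted(spoofed),
        "iframe_hosts": sorted(iframe_hosts),
        "suspicious": suspicious,
    }


# Constructed sample of a BITB-style page hosted on the attacker's domain.
BITB_SAMPLE = """
<div class="window">
  <div class="titlebar">Sign in - Google Accounts</div>
  <div class="addressbar"><span>https://accounts.google.com/</span></div>
  <div class="ssl">accounts.google.com</div>
  <iframe src="https://login-portal.invalid/auth/google/login"></iframe>
</div>
"""

# Constructed benign page: an embedded video plus a citation inside prose.
BENIGN_SAMPLE = """
<p>Watch the talk below or read the notes.</p>
<iframe src="https://video.example.org/embed/123"></iframe>
<p>Source: https://example.org/notes</p>
"""

if __name__ == "__main__":
    print(analyze_page(BITB_SAMPLE, "https://login-portal.invalid/signin"))
    print(analyze_page(BENIGN_SAMPLE, "https://example.org/talks"))
```

The check is deliberately a heuristic: a real SSO pop-up is a separate top-level window, never an iframe, so an iframe sitting beneath text that names an identity provider's hostname is worth a closer look in a phishing-site triage pipeline. It does not catch a kit that renders the address bar as an image, so treat a negative result as "no signal", not as a clean bill of health.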

[Figure: Browser In The Browser (BITB) attack workflow]

How to use Browser in the browser attack tool

Each folder has a script.js file; the beginning of the file has some parameters you can change:

  1. loadTITLE – The title displayed while loading (e.g. Sign in)
  2. TITLE – The title that shows up for the page (e.g. Sign in to your account now)
  3. loadDOMAINNAME – Domain name shown while loading (default “”)
  4. DOMAINNAME – Domain name you’re masquerading as (e.g. “https://accounts.google.com/“)
  5. DOMAINNAMEVERIFY – Domain name that appears in the SSL check (e.g. “accounts.google.com”)
  6. loadDOMAINPATH – Domain path shown while loading (default “about:blank”)
  7. DOMAINPATH – Domain path (e.g. “/auth/google/login”)
  8. PHISHINGLINK – Phishing link that will be embedded in the iframe (e.g. “https://example.com“)
  9. loadLOGO – Path to the icon of the website shown while loading (default “../loading.gif”)
  10. LOGO – Path to the icon of the website you’re masquerading as (default “../google.svg”)
  11. loadTIME – Loading time in milliseconds (it should be set to 0.5–2 s to make it more realistic)

To Do List

  1. Customize domain and phishing link
  2. Maximize mode that will turn into full screen
  3. Function for the minimize button
  4. SSL check
  5. SSL certificate check
  6. More realistic appearance effect
  7. Detect user colour preference
  8. Other web platforms
  9. More languages
  10. Error page if the content can’t load
  11. Responsive layout
  12. Fix some CSS, animation, …

How Can Businesses Avoid Browser-In-Browser Attacks?

Because SSO has presented organisations and consumers with limitless potential, ignoring its use is not a viable option.

Adding additional levels of security while deploying single sign-on (SSO) could assist firms in preventing browser in the browser attacks and mitigating other dangers.

In general, if you wish to defend yourself from this attack, you should avoid clicking on any unexpected links and avoid connecting your device to any public Wi-Fi network.
